A cert expiry on a 501(c)(3) donor portal isn't a downtime event — it's a state charitable-solicitation registration breach and an IRS Form 990 e-filing dependency that ties into §6033(j) auto-revocation timelines.
The Taxpayer First Act §3101 (P.L. 116-25) made e-filing mandatory; §6033(j) IRC auto-revokes tax-exempt status after 3 consecutive years of failure to file; donors lose §170(c)(2) deductibility on revocation.
Nonprofit agencies building tech for 501(c)(3) charities, private foundations, religious orgs, and advocacy nonprofits — donor portals, payment processing, board-document portals, state registration filings, IRS e-filing — deal with state charitable-solicitation registration portal cert expiry breaking annual renewals across 41 states + DC (CA AG charitable-trust enforcement, NY AG under NY Executive Law §172, FL DACS, IL AG), IRS Form 990 Modernized e-File (MeF) cert chain failures plus §6033(j) tax-exempt-status auto-revocation risk under the Taxpayer First Act §3101 (P.L. 116-25, July 2019), and donor-portal + PCI-DSS payment-processing cert expiry triggering PCI Forensic Investigator (PFI) review under SAQ A / SAQ A-EP. Merlonix monitors every nonprofit-attached subdomain so the state-AG + IRS MeF + PCI exposure surfaces 30 days before the failure window opens.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where nonprofit agencies get caught out
Three failure modes where SSL expiry creates state charitable-solicitation registration breaches across 41 states + DC, IRS Form 990 Modernized e-File chain failures plus §6033(j) auto-revocation timeline exposure, and donor-portal + PCI-DSS cert expiry triggering PCI Forensic Investigator review.
Nonprofit agencies building tech for 501(c)(3) charities, private foundations, religious orgs, and advocacy nonprofits — donor portals, payment processing, board-document portals, state registration filings, IRS e-filing — deal with state charitable-solicitation registration portal cert expiry breaking annual renewals across 41 states + DC (CA AG charitable-trust enforcement under Cal. Gov. Code §12586, NY AG under NY Executive Law §172 + §175, FL DACS under Fla. Stat. §496, IL AG under 225 ILCS 460), IRS Form 990 Modernized e-File (MeF) cert chain failures plus §6033(j) tax-exempt-status auto-revocation risk under the Taxpayer First Act §3101 (P.L. 116-25, July 2019), and donor-portal + PCI-DSS payment-processing cert expiry triggering PCI Forensic Investigator (PFI) review under SAQ A / SAQ A-EP.
41 states + DC require charitable-solicitation registration before any nonprofit can solicit donations from residents. The Unified Registration Statement (URS) covers some states; many states require their own forms (CA, NY, FL, IL, PA, MA, NJ, TX, and others). State AG enforcement is active: CA AG charitable-trust enforcement actions can hit $300k+ per violation under Cal. Gov. Code §12586 + §12587; NY AG charitable-fraud enforcement under NY Executive Law §172 (registration required) + §175 (penalties up to $1,000 per violation per day); FL DACS under Fla. Stat. §496; IL AG under 225 ILCS 460. Most states require annual renewal by registration anniversary or fixed Q1/Q2 dates. Reinstatement after lapse requires back-fees plus penalties ($1,000-25,000 per state depending on duration of lapse and amount solicited during the lapse).
A nonprofit agency operates a state-registration filing proxy (state-filings.nonprofitname.org) for a 36-state-registered national 501(c)(3). The cert on state-filings.nonprofitname.org expires during the Q1 renewal window. Over a 9-day window, 8 state renewals lapse. The CA AG sends a §17511 notice. The nonprofit's Q1 fundraising in those states is technically unlawful solicitation under the lapsed registrations. Reinstatement requires back-fees plus per-state penalties.
A nonprofit agency operates the state-registration filing proxy for a national 501(c)(3) charity registered in 36 states (the major-population states plus several mid-sized states where the org has active fundraising programs — CA, NY, FL, TX, IL, PA, MA, NJ, OH, GA, NC, VA, WA, MI, AZ, CO, MD, MN, MO, WI, IN, TN, SC, KY, LA, OK, OR, CT, IA, AR, NV, KS, MS, AL, NM, UT). The proxy at state-filings.nonprofitname.org sits between the nonprofit's back-office accounting system (Sage Intacct in this case) and the various state portals: CA AG Registry of Charitable Trusts (ag.ca.gov/charities), NY AG Charities Bureau (charitiesnys.com), FL DACS (csapp.fdacs.gov), IL AG Charity Bureau (illinoisattorneygeneral.gov), and 32 others. Each state has its own annual renewal deadline: CA RRF-1 is due 4 months 15 days after fiscal year-end (so May 15 for calendar-year nonprofits); NY CHAR500 is due May 15 with extension to Nov 15; FL is due 1 year after registration anniversary; IL is due 6 months after fiscal year-end. The proxy authenticates to the state portals using state-specific credentials and submits the renewal package (financial statements, 990 reference, governance disclosures). The cert on state-filings.nonprofitname.org is provisioned via Let's Encrypt with a 90-day cycle. The renewal automation has an interaction with the agency's recently-deployed Cloudflare Access policy (rolled out Q4 2025 to add zero-trust to internal admin endpoints); the Access policy applies to the cert-validation health-check endpoint that the LE renewal job uses to confirm the renewal succeeded. The Access policy returns 403 to the unauthenticated health-check; the LE renewal job interprets the 403 as a renewal failure and silently retries. After 14 retries the rate-limit budget is exhausted. The previous cert expires on a Wednesday in mid-Q1 renewal season (early March, when CA + NY + IL all have active renewal-window obligations). 
The agency's monitoring catches the cert expiry as an alert but the alert routes to a Slack channel that the agency's shared engineering team checks every 4-8 hours during normal load. By the time an engineer sees the alert and triages, 6 hours have passed. Over the next 9 days (the time it takes to fix the Cloudflare Access misconfiguration, regenerate the cert via DNS-01 challenge, redeploy across the proxy's adapter ecosystem, and re-validate against each state portal — some state portals require additional whitelist-update tickets when source cert chains change), the nonprofit's back-office tries to submit Q1 renewals through the proxy. The submissions queue at the proxy and don't transmit. The nonprofit's Director of Compliance assumes the renewals were filed because the back-office system shows them as "submitted" (the queue depth isn't visible from the back-office UI). 8 state renewals lapse during the 9-day window: CA RRF-1, NY CHAR500, FL Charitable Solicitation registration, IL AG-PMT-2, MA Form PC, NJ CRI-200, PA BCO-10, MN AG charitable-org renewal. Each state has its own grace-period treatment: CA allows reinstatement with back-fees + late penalties under Gov. Code §12586.1 (penalty up to $200/day per missed filing); NY imposes penalties under Executive Law §175 ($25 to $1,000 per violation per day, AG discretion); FL imposes a flat $1,000 reinstatement fee plus penalty up to $5,000; IL similar. After 28 days post-lapse, the CA AG's Registry of Charitable Trusts sends a §17511 notice (Cal. Gov. Code §12586) — a formal demand for compliance with cure period. During the cure period, the nonprofit's Q1 fundraising in California is technically unlawful solicitation under §17510.5 (which prohibits solicitation by a charity not in good standing on the Registry); donations received during the lapse are not unlawful to receive (per CA AG guidance) but the act of solicitation is unlawful. 
The nonprofit's Q1 California fundraising included a major-donor cultivation event (banquet for $5k+ donors) and a digital campaign that targeted CA residents; the org raised $640k from CA in Q1; the CA AG's notice references this volume in determining the penalty. Outside nonprofit counsel is engaged. Counsel coordinates with the AG's office; the resolution is a Stipulated Settlement requiring back-payment of registration fees ($800), late penalties ($14,400 = $200/day × 72 days), and a public disclosure on the next 5 years of CA RRF-1 filings ("organization was previously suspended from the Registry"). Total resolution across all 8 states: ~$94k in fees + penalties. The nonprofit's board of directors is notified; the audit committee opens a special review of the agency relationship. The agency's engagement contract with the nonprofit includes a compliance-systems SLA and indemnity; the indemnity covers the back-fees but disputes coverage of the per-day penalties (the nonprofit and the agency are in negotiation). The nonprofit's donor-trust narrative is impacted; the major-donor banquet attendees (some of whom are board members of other CA charities) hear about the issue through the small-world CA charity community. The agency loses two prospect contracts in the Q2 pipeline.
Taxpayer First Act §3101 (P.L. 116-25, signed July 2019) requires all 501(c)(3)s to file Form 990 electronically for tax years beginning after July 1, 2019. IRS Modernized e-File (MeF) is the IRS's electronic-filing system. Under §6033(j) of the Internal Revenue Code, failure to file Form 990 (or Form 990-EZ or Form 990-N) for 3 consecutive years results in automatic revocation of tax-exempt status, effective the date the third year's filing was due. Once revoked, the organization must apply for reinstatement under Rev. Proc. 2014-11; reinstatement is not automatic and may require back-filing. The IRS's Pub 78 (Tax Exempt Organization Search at apps.irs.gov/app/eos) is updated approximately 30 days after revocation. Donors who give to a revoked organization lose deductibility under §170(c)(2). A cert chain mismatch with the IRS MeF approved-CA list is a common failure mode for filing proxies operated by nonprofit agencies: the IRS MeF system has specific TLS expectations and rejects connections that don't chain through approved CAs.
A nonprofit agency operates an IRS e-filing proxy (mef.agencyname.com) for a portfolio of 280 small/mid 501(c)(3) clients. A cert chain mismatch with the IRS MeF approved-CA list during the late-Q2 filing window (Form 990 due 4.5 months after fiscal year-end, so May 15 for calendar-year nonprofits) causes 38 client returns to fail to acknowledge. Some clients are in year 2 of late filings; if not resolved before the 3-year window closes, §6033(j) auto-revocation triggers; the IRS Pub 78 listing is updated 30 days after; donors lose §170(c)(2) deductibility.
A nonprofit agency operates the IRS e-filing proxy for a portfolio of 280 small-to-mid 501(c)(3) clients (annual revenue range $50k to $5M; mostly smaller orgs that can't afford full-time accounting staff and rely on the agency for compliance work). The proxy at mef.agencyname.com submits Form 990, Form 990-EZ, and Form 990-N (e-Postcard) returns to the IRS Modernized e-File (MeF) system on behalf of clients. The MeF system has specific TLS expectations: it accepts certs chaining through the approved-CA list documented in IRS Publication 4164 (Modernized e-File Guide for Software Developers and Transmitters); the approved-CA list includes DigiCert, Entrust, IdenTrust, GlobalSign, Sectigo, and a handful of others. Cert chain validation is enforced at the MeF transmission layer. The cert on mef.agencyname.com was previously provisioned through DigiCert (an approved CA). When the agency's primary engineer left in late 2025, the new engineer migrated the cert to Let's Encrypt as part of a cost-reduction project (LE is free; DigiCert was costing $400/year for the wildcard). The migration succeeded for general-public connections but introduced a chain-anchor mismatch: LE chains through ISRG Root X1 and ISRG Root X2; the MeF approved-CA list (per IRS Pub 4164 as of the migration date) doesn't include ISRG anchors. The migration was tested against a sample MeF submission for a small client (Form 990-N e-Postcard), which happened to succeed because the IRS MeF test environment (Acceptance/A2A) at the time of testing had a more permissive cert acceptance policy than production. The production submissions began failing immediately after the migration but the failures were silent — MeF returns an HTTP 200 with an XML error envelope; the proxy's response-parsing logic was looking for a specific success element and treating its absence as "submission queued for IRS processing" rather than "submission rejected." 
The acknowledgment-receipt logic was waiting for an IRS acknowledgment (which can take 24-72 hours per IRS Pub 4164); when no acknowledgment arrived after 72 hours, the proxy logged a "pending acknowledgment" warning that was not surfaced to the agency's engineers. The migration happened in late January 2026. By early May 2026 (the May 15 calendar-year deadline week), the agency had submitted 38 client returns through the broken proxy. None had received MeF acknowledgments. Discovery happens May 8 when one of the larger clients (an arts-education nonprofit with $2.4M revenue) contacts the agency asking for a copy of the IRS acknowledgment for their Form 990 — the client's board treasurer needs it for the upcoming board meeting. The agency engineer pulls the proxy logs and discovers all 38 returns are in "pending acknowledgment" state. Triage identifies the chain-anchor mismatch. Resolution requires obtaining a new cert from a DigiCert / Entrust / IdenTrust account (the agency had cancelled the DigiCert account on migration; opening a new account takes 4-8 business days for KYC verification), installing the cert, and re-submitting all 38 returns. By the May 15 deadline, only 22 of 38 submissions are successfully acknowledged. The remaining 16 are submitted but in pending state at the IRS; whether they're considered timely-filed depends on IRS interpretation of the postmark rule for electronic filing (§7502(a) and Reg. §301.7502-1(c) provide that electronic submission timestamp is the postmark date; if the IRS receives a submission timestamped May 15 but processes it later, it's timely; the question is whether the submissions queued at the proxy on May 14-15 will be considered timestamped at submission time or at IRS receipt). Outside tax counsel is engaged. Of the 38 affected clients, 4 are in year 2 of late filings (their year-1 lapse was pre-existing when they signed with the agency; the agency was supposed to bring them current). 
For those 4, if the year-3 filing is not properly received by the IRS by an extended deadline (Form 8868 extension can extend to Nov 15), §6033(j) auto-revocation triggers retroactive to May 15. Auto-revocation means: (1) the org loses tax-exempt status; (2) the IRS Pub 78 listing is updated approximately 30 days after revocation; (3) donors who gave during the revocation year may file amended returns to claim back the §170(c)(2) deduction (donors won't but the org has a notification obligation under best-practice guidance); (4) the org must apply for reinstatement under Rev. Proc. 2014-11 ($600 user fee + back-filing of all 3 years of 990s); (5) the IRS may impose excise tax under §4958 for excess benefit transactions if the org continued to operate as if exempt during the post-revocation period. The agency files extensions (Form 8868) for all 38 clients on May 14 to buy time; the extensions are granted; the chain-mismatch issue is resolved by May 22; all submissions are accepted by June 3. The 4 year-2 clients are current as of June 3 — auto-revocation is averted by 12 weeks. The agency's engagement contract triggers an indemnity claim from the 4 affected clients; settlement is approximately $24k across the four. The agency's reputation in the small-nonprofit accounting market takes a hit; one prospect contract pauses pending review. The agency rolls back the Let's Encrypt migration on the MeF proxy and returns to DigiCert; the cost reduction is reversed.
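The silent-failure pattern in this scenario (an HTTP 200 carrying an error envelope, read as "queued", followed by a pending-acknowledgment warning nobody sees) is worth showing as code. The block below is an added example, not Merlonix's or the agency's proxy code; its XML shapes (`Receipt`, `Error`, `SubmissionId`) are constructed for illustration and are not the IRS MeF schema from Pub 4164, and the 72-hour acknowledgment window is the figure this page cites.

```python
"""Fail-closed classification of e-file transmitter responses.

The proxy in the scenario looked for one success element and treated its
absence as "queued", so an HTTP 200 carrying an error envelope looked like
progress. The safe default is the reverse: only a positively recognised
acceptance counts; everything else is a rejection or an unknown to escalate.
XML shapes here are constructed for illustration and are NOT the IRS MeF
schema (which is namespaced and documented in Pub 4164).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    ACCEPTED = "accepted"          # transmitter positively acknowledged receipt
    REJECTED = "rejected"          # transport failure or an error envelope
    UNRECOGNISED = "unrecognised"  # neither shape matched: page a human


def _find(root: ET.Element, tag: str):
    """Return the first element (root included) whose local name matches."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == tag:
            return el
    return None


def classify_response(http_status: int, body: str) -> tuple:
    """Return (Status, detail). An HTTP 200 proves nothing; only the body does."""
    if http_status != 200:
        return Status.REJECTED, f"http {http_status}"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return Status.UNRECOGNISED, f"unparseable body: {exc}"
    # Look for an error envelope FIRST: a wrapper that looks like success can
    # still carry an embedded rejection.
    err = _find(root, "Error")
    if err is not None:
        code = err.findtext("Code", default="?")
        msg = err.findtext("Message", default="")
        return Status.REJECTED, f"{code}: {msg}".strip()
    receipt = _find(root, "Receipt")
    if receipt is not None and receipt.findtext("SubmissionId"):
        return Status.ACCEPTED, receipt.findtext("SubmissionId")
    # Unknown shape. The legacy proxy said "queued" here; we refuse to guess.
    return Status.UNRECOGNISED, f"no Receipt/Error element (root <{root.tag}>)"


ACK_WINDOW = timedelta(hours=72)  # this page cites 24-72 hours for IRS acknowledgments


def overdue_submissions(pending: dict, now: datetime) -> list:
    """Submission ids still unacknowledged past the 72-hour window.

    These must raise an alert that reaches an engineer, not a log-only
    "pending acknowledgment" warning that surfaces the week of May 15.
    """
    return sorted(sid for sid, sent in pending.items() if now - sent > ACK_WINDOW)


# Constructed sample responses (illustrative only).
ACCEPT_BODY = """<TransmissionResponse>
  <Receipt><SubmissionId>SUB-0001</SubmissionId><Timestamp>2026-05-08T14:02:11Z</Timestamp></Receipt>
</TransmissionResponse>"""

ERROR_BODY = """<TransmissionResponse>
  <Error><Code>TLS-CHAIN</Code><Message>certificate chain not trusted</Message></Error>
</TransmissionResponse>"""

ODD_BODY = "<Maintenance>try again later</Maintenance>"


def demo_overdue() -> list:
    """Constructed pending set: one 80 hours old, one 10 hours old."""
    now = datetime(2026, 5, 8, 9, 0, tzinfo=timezone.utc)
    pending = {"SUB-0001": now - timedelta(hours=80), "SUB-0002": now - timedelta(hours=10)}
    return overdue_submissions(pending, now)


if __name__ == "__main__":
    for label, body in (("accept", ACCEPT_BODY), ("error", ERROR_BODY), ("odd", ODD_BODY)):
        status, detail = classify_response(200, body)
        print(f"{label:7} -> {status.value}: {detail}")
    print("overdue:", demo_overdue())
```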
Donor portals process payment-card data via Stripe / Network for Good / Donorbox / Classy / Blackbaud Merchant Services. The processor handles the actual card-data flow, but the portal that captures donor identifying info (name + email + address + sometimes donor-advised-fund details for major-gift donors) operates under PCI SAQ A (if the portal redirects to the processor and never touches card data) or SAQ A-EP (if the portal hosts an iframe or form-fragment from the processor). Both SAQ A and SAQ A-EP require TLS for all connections handling cardholder data, which includes the donor-portal subdomain that frames the processor. Cert expiry on the donor-portal subdomain triggers PCI compliance failure under PCI DSS Requirement 4 (encrypt transmission of cardholder data). Acquiring banks may require a PFI (PCI Forensic Investigator, qualified by the PCI Council) investigation for material compliance failures — PFI engagements cost $25k-100k. Processor-level fines accrue at $5k-50k/month until remediation. CCPA notification under Cal. Civ. Code §1798.82 may apply if California-resident donors are affected.
A nonprofit agency operates the donor portal (donor.orgname.org) for a 50-state-registered national 501(c)(3) with high-volume Giving Tuesday traffic. The cert on donor.orgname.org expires during Giving Tuesday week. Over a 24-hour cert-expired window, 18,000 donor sessions hit the portal; 2,200 successful donations transmit donor name + email + address (and for major-gift donors, donor-advised-fund details) over the expired cert. Stripe flags the activity in monthly review. The acquiring bank may require a PFI investigation; PFI cost $25k-100k; processor-level fines $5k-50k/month until remediation. CCPA notification under §1798.82 triggers.
A nonprofit agency operates the donor portal for a national 501(c)(3) charity registered in all 50 states with a high-volume year-end giving program. The portal at donor.orgname.org is a custom build (not a hosted Donorbox/Classy embed) that integrates with Stripe via Stripe Elements (an iframe-embedded card field that puts the org under PCI SAQ A-EP scope rather than the lower SAQ A scope). The portal collects donor identifying info: first + last name, email, mailing address, optional phone, donation amount, donation designation (program area), recurring-vs-one-time selection, and for major-gift donors a donor-advised-fund (DAF) field that captures the DAF sponsor (Fidelity Charitable, Schwab Charitable, Vanguard Charitable, National Philanthropic Trust, etc.) and the DAF account-holder advisor name (used for gift-acknowledgment and donor-stewardship purposes). Card data flows through Stripe Elements and never touches the donor.orgname.org server, but the portal is in PCI SAQ A-EP scope because it hosts the iframe; PCI DSS Requirement 4 (encrypt transmission of cardholder data across open, public networks) and Requirement 6 (develop and maintain secure systems) apply to the portal. The cert on donor.orgname.org is provisioned via Let's Encrypt with a 90-day cycle. The renewal cycle for the current cert was scheduled for late-November 2025 — squarely in Giving Tuesday week (Giving Tuesday 2025 was Tuesday December 2). The renewal job ran November 26 (the Wednesday before Thanksgiving) and failed because the agency's DNS provider was undergoing a planned maintenance window that morning that briefly affected DNS-01 challenge response. The renewal automation logged the failure and was supposed to retry in 12 hours; the retry logic had a bug introduced in a refactor 6 weeks earlier — the retry counter was resetting on each retry, causing the job to give up after 3 retries instead of the configured 14. 
By Friday November 28 (Black Friday), the renewal had stopped attempting. The cert was still valid (60 days remaining at that point). The agency's monitoring was configured to alert at 14 days and at 7 days before expiry, plus an hourly check during the final 24 hours; the 14-day alert wasn't triggered yet. The cert expires on a Tuesday morning at 4:18 AM — Giving Tuesday morning. Donor traffic begins surging at 6 AM PT as the East Coast wakes up. By 8 AM PT, the portal has received 4,200 donor sessions; by noon, 11,000; by end-of-day, 18,000 across the 24-hour cert-expired window. Mobile Safari hard-blocks; iOS users (about 35% of donor traffic) can't complete donations. Chrome shows the warning page; many donors click through (the orgname.org brand is well-known and trusted; the URL is correct). Of the 18,000 sessions, 2,200 successfully complete donations — submitting donor name + email + address through Stripe Elements (which itself uses TLS to Stripe directly via the iframe's own connection) but with the wrapping page connection (donor.orgname.org) on an expired cert. Of the 2,200 donations, 380 are major-gift donations ($1,000+) and 60 of those include DAF details. Discovery happens Tuesday at 4:30 PM when the org's Director of Development gets calls from major donors saying their browser is "warning them" about the donation page. The Director escalates to the org's IT contact, who pages the agency's on-call. The agency engineer triages and identifies the cert expiry. Resolution requires manual cert renewal via DNS-01 challenge (working around the original DNS-provider maintenance issue, which has resolved by then but the automation hasn't recovered). Cert is renewed and deployed by 6:45 PM PT, ~14.5 hours after expiry. The org's Giving Tuesday total is significantly down vs. forecast (the org raised $4.2M vs. forecast $5.8M); the development team can't precisely attribute the gap to the cert outage but estimates 20-30% of the gap. 
The PCI implications are escalated immediately. Stripe's monthly compliance review (run on the 5th of the following month) flags the Giving Tuesday traffic anomaly: an unusually high rate of dropped sessions on the donor.orgname.org domain combined with browser security warnings reported through Stripe's integration health metrics. Stripe's compliance team contacts the org's account manager. The org's acquiring bank (a Tier 1 US bank that processes the org's payment volume) is notified. The acquiring bank reviews the incident under its acquirer-level PCI compliance obligations (acquirers are obligated under their card-brand agreements to ensure merchants maintain PCI compliance). The acquirer's risk team determines a PFI investigation is warranted given (a) PCI DSS Requirement 4 violation duration (14.5 hours), (b) volume of affected sessions (2,200 successful transactions), and (c) the org's $50M+ annual processing volume. The PFI engagement is scoped: the acquirer selects a PFI from the PCI Council's qualified PFI list; the investigation reviews the cert lifecycle, the renewal automation failure, the agency's incident response, and the data potentially exposed; PFI cost is approximately $48k for the scoped engagement. The processor (Stripe) imposes a compliance-failure fine of $25k/month for 2 months until remediation steps are validated by the PFI. CCPA notification under Cal. Civ. Code §1798.82 triggers — of the 2,200 affected donors, an estimated 280 are California residents based on address-zip analysis; the org notifies within the §1798.82 timeline (without unreasonable delay; the notification is sent 18 days post-discovery). California AG's Office is informed under §1798.82 reporting obligations. 
The org's Form 990 Schedule O (supplemental information) for the affected fiscal year will reference the incident under best-practice disclosure guidance (the IRS doesn't require it but most large nonprofits voluntarily disclose material cybersecurity incidents that affect donors). The agency's engagement contract with the org includes a cybersecurity SLA and indemnity; the indemnity is triggered. The agency's cyber-liability insurance is engaged; the policy covers PFI costs and processor fines but not lost giving (which is harder to quantify and not covered under most cyber policies). The agency's reputation in the national nonprofit-tech vendor market is impacted; two prospect contracts in the Q1 pipeline pause pending the PFI report. The PFI report is delivered 11 weeks post-incident; remediation requirements include implementing certificate-monitoring with automatic alerting at 30/14/7/1 day intervals, deploying a cert-renewal-automation health check that doesn't silently fail, and adopting a backup-CA cert as a hot-failover.
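Two of the renewal-automation defects in these scenarios (the Cloudflare Access 403 read as a failed renewal in the state-filings case, and the retry counter that reset on every attempt in the donor-portal case) can be shown beside their safe form. The block below is an added example, not Merlonix's product or the agency's renewal job; `Probe`, `Verdict` and `RetryBudget` are this example's own names, and all probe results are constructed, with no ACME client or network involved.

```python
"""Renewal post-check that cannot fail silently.

Two defects from the scenarios above, each beside its safe form:
  (1) a health-check HTTP 403 (a zero-trust access policy in front of the
      endpoint) read as "renewal failed", driving re-issuance attempts
      until the ACME rate-limit budget is gone;
  (2) a retry counter rebuilt on every attempt, so the job quietly gave up
      after 3 tries instead of the configured 14.
Everything is simulated with constructed probe results; names are this
example's own.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    RENEWED = "renewed"
    RENEWED_CHECK_BLOCKED = "renewed; health check blocked by access policy"
    NOT_RENEWED = "not renewed"


@dataclass(frozen=True)
class Probe:
    """What one post-renewal probe of the endpoint observed."""
    handshake_ok: bool            # TLS handshake completed against the host
    served_serial: Optional[str]  # serial of the leaf cert the host presented
    http_status: Optional[int]    # health-check response status, if any


def legacy_verify(probe: Probe, new_serial: str) -> Verdict:
    """The buggy rule: anything but HTTP 200 means the renewal failed."""
    return Verdict.RENEWED if probe.http_status == 200 else Verdict.NOT_RENEWED


def verify(probe: Probe, new_serial: str) -> Verdict:
    """Whether the renewal landed is a TLS-layer question.

    An HTTP status only exists after a successful handshake, so a 403 can
    never mean the certificate is bad; it means the health check sits behind
    a policy. Compare the serial actually served with the one just issued.
    """
    if not probe.handshake_ok or probe.served_serial != new_serial:
        return Verdict.NOT_RENEWED
    if probe.http_status is not None and probe.http_status >= 400:
        return Verdict.RENEWED_CHECK_BLOCKED
    return Verdict.RENEWED


class RetryBudget:
    """Counts attempts for the WHOLE job.

    The defective refactor constructed its counter inside the retry loop, so
    `used` reset on every pass and the configured limit never applied.
    Create this once, outside the loop, and pass it in.
    """
    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.used = 0

    def take(self) -> bool:
        if self.used >= self.limit:
            return False
        self.used += 1
        return True


def run_job(probes: list, new_serial: str, budget: RetryBudget) -> list:
    """Drive one renewal job over successive probe results.

    Returns the event log. The final entry is always a terminal state meant
    to reach a person: success, an alert, or an escalation. Silence is not
    an outcome.
    """
    events = []
    for probe in probes:
        if not budget.take():
            events.append(f"ESCALATE: retry budget of {budget.limit} exhausted, cert not renewed")
            return events
        verdict = verify(probe, new_serial)
        events.append(f"attempt {budget.used}: {verdict.value}")
        if verdict is Verdict.RENEWED:
            return events
        if verdict is Verdict.RENEWED_CHECK_BLOCKED:
            # Do NOT re-issue: that burns rate limit for nothing. Fix the check.
            events.append("ALERT: renewal succeeded but health check returned 4xx; exempt it from the access policy")
            return events
    events.append("ESCALATE: probes exhausted, cert not renewed")
    return events


if __name__ == "__main__":
    # Constructed sequence: old cert served twice, then the new cert is
    # served but the health check answers 403 from behind the policy.
    probes = [Probe(True, "OLD", 200), Probe(True, "OLD", 200), Probe(True, "NEW", 403)]
    for line in run_job(probes, "NEW", RetryBudget(14)):
        print(line)
```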
How it works
SSL and DNS monitoring for nonprofit agencies across donor portals (PCI SAQ A / SAQ A-EP scope with PFI-investigation exposure), IRS Form 990 Modernized e-File proxies (Taxpayer First Act §3101 + IRC §6033(j) auto-revocation exposure), and state-registration filing proxies (41-state charitable-solicitation registration exposure with state AG enforcement under Cal. Gov. Code §12586, NY Executive Law §172, Fla. Stat. §496, 225 ILCS 460).
Merlonix monitors SSL expiry and DNS integrity across every nonprofit-attached subdomain — donor.* (donor portal under PCI SAQ A or SAQ A-EP scope), mef.* (IRS Form 990 e-filing proxy with MeF-chain-validation requirements), state-filings.* (state charitable-solicitation registration filing proxy across 41 states + DC), board.* (board-document portal) — and catches cert expiry before any donor portal can transmit donor name + email + address + DAF details over an expired cert and trigger PCI SAQ A / A-EP failure plus a PFI investigation, before any IRS Form 990 submission can fail to chain-validate and put §6033(j) auto-revocation timelines at risk, and before any state charitable-solicitation registration renewal can lapse during the Q1 / May 15 renewal window. Each nonprofit subdomain gets independent monitoring because each one carries independent regulatory exposure that flows back to the agency under the engagement's cybersecurity SLA + compliance-systems indemnity.
01
Add every nonprofit-attached subdomain — donor.*, mef.*, state-filings.*, board.*, plus the org's primary marketing domain — with DNS TXT verification that catches cert expiry on state-AG + IRS MeF + PCI-scope infrastructure 30 days before the failure window opens
Verify ownership with a DNS TXT record on the apex domain. All nonprofit-attached subdomains under that apex — donor.* (donor portal under PCI SAQ A or SAQ A-EP scope), mef.* (IRS Form 990 e-filing proxy), state-filings.* (state charitable-solicitation registration filing proxy), board.* (board-document portal) — are added without additional verification. Monitoring every nonprofit-attached subdomain catches cert expiry 30 days before the failure window opens — well before any donor portal can transmit donor name + email + address + DAF details over an expired cert and trigger PCI SAQ A / A-EP failure plus a PFI investigation, well before any IRS Form 990 submission can fail to chain-validate against the MeF approved-CA list and put §6033(j) auto-revocation timelines at risk for clients in year 2 of late filings, and well before any state charitable-solicitation registration renewal can lapse during the Q1 / May 15 renewal window. Under two minutes per nonprofit.
02
CAA inheritance monitoring across nonprofit IT cybersecurity audits, board-mandated security policy refreshes, Cloudflare Access rollouts, and registrar changes — surfacing the CAA tightening or zero-trust-policy interaction that breaks Let's Encrypt renewal during peak Giving Tuesday, May 15 990 deadline, and Q1 state-renewal windows
Three independent DNS resolvers check every CNAME and CAA record on every monitoring interval, walking the CAA inheritance chain from the apex up. When a nonprofit's board-mandated cybersecurity policy refresh tightens CAA records, or when a Cloudflare Access policy rollout interacts with a Let's Encrypt renewal job's health-check endpoint, the change is detected in the first check cycle — well before the next 90-day cert renewal hits the issue and silently fails. The implications are particularly important during peak windows: Giving Tuesday week (first Tuesday in December — 30%+ of annual giving for some orgs), May 15 (Form 990 calendar-year deadline), and Q1 (most state charitable-solicitation registrations renew Q1 or by May 15).
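The CAA inheritance walk described above, as an added example that is not Merlonix's checker: it applies the RFC 8659 rule that the first label with any CAA records, walking from the name toward the root, governs issuance, so an apex tightened to a commercial CA blocks Let's Encrypt on every subdomain without its own CAA. The zone data (`ZONE`, `zone_lookup`) is constructed; the hostnames reuse the donor.*, board.* and state-filings.* examples from this page.

```python
"""CAA inheritance walk: may this CA issue for this name?

Implements the RFC 8659 rule that the relevant CAA RRset is the one on the
first label, walking from the name toward the root, that has any CAA records
at all. A board-mandated tightening at the apex therefore governs every
subdomain with no CAA of its own, which is how a Let's Encrypt renewal on
donor.* starts failing without anyone touching donor.*.
The zone below is constructed; swap `zone_lookup` for a real resolver query.
"""
from typing import Callable

Record = tuple  # (flags, tag, value), e.g. (0, "issue", "letsencrypt.org")
Lookup = Callable[[str], list]
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def relevant_caa(name: str, lookup: Lookup) -> tuple:
    """Return (label that held the records, records); ('', []) if none found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup(candidate)
        if rrset:
            return candidate, rrset
    return "", []


def _issuer(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, lookup: Lookup, wildcard: bool = False) -> tuple:
    """Decide issuance for `name`; for a wildcard pass the parent and wildcard=True."""
    origin, rrset = relevant_caa(name, lookup)
    if not rrset:
        return True, f"no CAA records from {name} up to the root"
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"{origin}: critical unknown tag '{tag}'"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard requests
    authorised = [_issuer(v) for _, t, v in rrset if t == tag]
    if not authorised:
        return True, f"{origin}: no '{tag}' property, issuance unrestricted"
    if ca.lower() in authorised:
        return True, f"{origin}: '{tag}' authorises {ca}"
    allowed = sorted(a or "<nobody>" for a in authorised)
    return False, f"{origin}: '{tag}' restricts issuance to {allowed}"


def audit(names: list, ca: str, lookup: Lookup) -> dict:
    """One pass over every monitored subdomain, as a check cycle would run it."""
    return {n: may_issue(n, ca, lookup) for n in names}


# Constructed zone data. The apex was pinned to a commercial CA during a
# policy refresh; board.* kept its own CAA; nonprofitname.org has none.
ZONE = {
    "orgname.org": [
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),                        # no wildcard certs from anyone
        (0, "iodef", "mailto:security@orgname.org"),  # placeholder contact
    ],
    "board.orgname.org": [(0, "issue", "letsencrypt.org")],
}


def zone_lookup(name: str) -> list:
    return ZONE.get(name, [])


if __name__ == "__main__":
    names = ["donor.orgname.org", "board.orgname.org", "state-filings.nonprofitname.org"]
    for n, (ok, why) in audit(names, "letsencrypt.org", zone_lookup).items():
        print(f"{'OK   ' if ok else 'BLOCK'} {n}: {why}")
```

For a live sweep, `zone_lookup` can be replaced by a function that resolves CAA records (for example with dnspython's `dns.resolver.resolve(name, "CAA")`) and returns the same (flags, tag, value) tuples.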
03
SSL monitoring 30 days before expiry across donor portals, IRS MeF e-filing proxies, and state-registration filing proxies — independent per-subdomain checks because each one has independent regulatory exposure (PCI SAQ A/A-EP, IRS §6033(j), state AG enforcement)
Full SSL chain validation on every nonprofit-attached subdomain. Independent checks per-subdomain catch cert expiry 30 days before the failure window opens — enough time to coordinate any chain validation requirements with the IRS MeF approved-CA list (per IRS Pub 4164; Let's Encrypt's ISRG anchors are not on the MeF approved-CA list, so the MeF proxy needs a DigiCert / Entrust / IdenTrust / Sectigo cert), test the new cert against Stripe Elements iframe-embedding behavior on the donor portal, validate against state portal authentication flows (CA AG Registry, NY AG Charities Bureau, FL DACS each have varying TLS expectations), and avoid deploy collisions with peak Giving Tuesday + May 15 + Q1 windows. The 30-day lead time covers both the 90-day Let's Encrypt cert cycle and the worst-case commercial-CA account-opening cycle for the MeF proxy.
04
Vendor status for the major nonprofit-tech platforms (Salesforce Nonprofit Cloud, Blackbaud Raiser's Edge / NXT, Bloomerang, Donorbox, Classy, Network for Good, GuideStar / Candid), state AG charitable-registration portals, IRS Modernized e-File status, and Let's Encrypt — to distinguish vendor-side incidents from per-nonprofit SSL configuration failures
Merlonix monitors Salesforce Nonprofit Cloud status, Blackbaud Raiser's Edge / NXT status, Bloomerang, Donorbox, Classy, Network for Good, the GivingTuesday infrastructure, GuideStar / Candid (the IRS Pub 78 mirror used by donors to verify §170(c)(2) deductibility), the major state AG charitable-registration portals (CA AG Registry of Charitable Trusts, NY AG Charities Bureau, FL DACS), IRS Modernized e-File system status, and Let's Encrypt alongside the nonprofit's cert state — so when Blackbaud has an enterprise-wide incident during Giving Tuesday week, you see the vendor event clearly rather than spending hours investigating whether the org's donor.* subdomain has a cert problem. Vendor status monitoring is also useful for distinguishing an IRS MeF system-side outage during the May 15 deadline rush from a per-org chain-validation configuration failure.
What the numbers mean for nonprofit agencies
Monitoring built for nonprofit agencies where one client portfolio means a donor portal (PCI SAQ A / SAQ A-EP scope with PFI-investigation exposure of $25k-100k plus processor-level fines of $5k-50k/month), an IRS Form 990 e-filing proxy (Taxpayer First Act §3101 mandate + §6033(j) 3-consecutive-year auto-revocation timeline + §170(c)(2) donor-deductibility loss on revocation), and a state-registration filing proxy (41 states + DC with annual renewal cycles and state AG enforcement under Cal. Gov. Code §12586, NY Executive Law §172 + §175 of $25-$1,000 per violation per day) — each with independent regulatory implications when a cert silently expires and the agency's engagement contract inherits the compliance-systems indemnity.
Nonprofit agencies operating client-facing tech for 501(c)(3) charities, private foundations, religious orgs, and advocacy nonprofits need monitoring that recognizes each nonprofit-attached subdomain has independent regulatory exposure — because the donor-portal-side failure is silent (donors click through the browser warning to submit donations on Giving Tuesday; Stripe's monthly compliance review flags the anomaly weeks later; the acquiring bank requires a PFI investigation), the IRS-MeF-side failure is silent (the proxy accepts submissions and waits for acknowledgments that never arrive; pending-acknowledgment warnings don't surface; May 15 deadline passes; clients in year 2 of late filings approach the §6033(j) 3-year auto-revocation cliff), and the state-registration-side failure is silent (the back-office system shows renewals as "submitted" but the proxy queue never transmits; CA AG sends a §17511 notice 28 days post-lapse; the org's Q1 California fundraising is technically unlawful solicitation under §17510.5).
< 10 min
Time from DNS change to alert. Catches CAA records tightened to a single commercial CA during board-mandated cybersecurity-policy refreshes (a common outcome of those refreshes over the past 24 months) that silently block Let's Encrypt renewals, Cloudflare Access policies placed in front of /.well-known/acme-challenge/ that block HTTP-01 validation on donor portals, MeF e-filing proxies, and state-filings proxies before the next 90-day cycle, and registrar nameserver changes during peak Giving Tuesday + May 15 + Q1 windows
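The CAA case above is worth seeing concretely, because the renewal does not fail with a DNS error: the CA simply declines to issue. The block below is an added example, not Merlonix code. It implements the RFC 8659 relevant-RRset climb (walk from the name toward the root, first non-empty CAA RRset wins) against a constructed in-memory zone; the example.org names and the digicert.com / letsencrypt.org issuer identifiers are placeholders, and ZONE stands in for a real DNS lookup. It also handles the edge cases that bite in practice: an issuewild record overriding issue for wildcard names, a critical record with an unknown tag, and the empty ";" value that forbids every CA.

```python
# Added example (not Merlonix code): RFC 8659 CAA evaluation against a constructed zone.
# Shows how a "commercial CA only" CAA record at the apex silently blocks
# Let's Encrypt renewals on every child name that has no CAA record of its own.
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # RFC 8659 flag bit: unknown critical tag => CA must not issue


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild", "iodef" or an unknown tag
    value: str  # "<ca-domain>[; params]" or ";" meaning "no CA may issue"


# Constructed zone (placeholder names and CA identifiers, not a real org's DNS).
# Owner names are keys; each maps to the CAA RRset published at that name.
ZONE = {
    # apex tightened to a single commercial CA by a policy refresh
    "example.org": [CAA(0, "issue", "digicert.com")],
    # one subdomain still carries its own, older Let's Encrypt record
    "legacy.example.org": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    # wildcard issuance delegated separately from ordinary issuance
    "wild.example.org": [CAA(0, "issue", "digicert.com"),
                         CAA(0, "issuewild", "letsencrypt.org")],
    # a critical record with a tag no CA understands: nobody may issue
    "locked.example.org": [CAA(ISSUER_CRITICAL, "nosuchtag", "x")],
    # explicit "no issuance" marker
    "nobody.example.org": [CAA(0, "issue", ";")],
}


def relevant_caa(name, zone=ZONE):
    """RFC 8659 section 3: climb from the name toward the root; the first
    non-empty CAA RRset found is the relevant one for every name beneath it."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return rrset, owner
    return [], None


def ca_may_issue(name, ca_domain, wildcard=False, zone=ZONE):
    """Return (allowed, reason) for CA `ca_domain` issuing a cert for `name`."""
    rrset, owner = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA record in the tree; issuance unrestricted"
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag {rr.tag!r} at {owner}"
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcards
    # CA identifier is everything before the first ";" (parameters follow it)
    allowed = {rr.value.split(";", 1)[0].strip().lower()
               for rr in rrset if rr.tag == tag}
    if not allowed:
        return True, f"no {tag} records at {owner}; issuance unrestricted"
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} permitted by {tag} at {owner}"
    return False, f"{ca_domain} not in {tag} set {sorted(allowed)} at {owner}"


def renewal_blockers(names, ca_domain, zone=ZONE):
    """Names in a monitored portfolio whose CAA state would make `ca_domain`
    refuse to renew; this is the check a DNS-change alert should run."""
    blocked = {}
    for n in names:
        ok, why = ca_may_issue(n, ca_domain, wildcard=n.startswith("*."), zone=zone)
        if not ok:
            blocked[n] = why
    return blocked


if __name__ == "__main__":
    portfolio = ["donor.example.org", "mef.example.org", "legacy.example.org",
                 "*.wild.example.org", "locked.example.org", "board.other.test"]
    for n, why in renewal_blockers(portfolio, "letsencrypt.org").items():
        print(f"BLOCKED {n}: {why}")
```

Run as-is, the portfolio check reports donor.example.org and mef.example.org blocked by the apex record and locked.example.org blocked by the critical unknown tag, while legacy.example.org, the wildcard, and the name with no CAA at all still renew. In a real monitor, replace ZONE with a CAA query from each of the independent resolvers and re-run the check whenever any CAA RRset in the climb path changes.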
30 days
SSL expiry warning lead time — enough time to coordinate chain validation with the IRS MeF approved-CA list (per IRS Pub 4164; Let's Encrypt's ISRG anchors are not on the MeF approved-CA list), test the new cert against Stripe Elements iframe-embedding on the donor portal, validate against state AG charitable-registration portal authentication flows, and avoid deploy collisions with Giving Tuesday + May 15 + Q1 peak windows
11 vendors
Upstream services monitored — Salesforce Nonprofit Cloud, Blackbaud Raiser's Edge / NXT, Bloomerang, Donorbox, Classy, Network for Good, GivingTuesday, GuideStar / Candid, the state AG charitable-registration portals (CA AG Registry of Charitable Trusts, NY AG Charities Bureau, FL DACS), IRS Modernized e-File status, and Let's Encrypt. Distinguishes a vendor-side platform incident from a per-nonprofit SSL configuration failure
200 assets
Maximum monitored domains on the Agency plan — covers a full nonprofit-vertical portfolio: 30+ 501(c)(3) clients each with donor.*, mef.*, state-filings.*, board.*, sso.*, and the apex (six assets per client), plus private foundation clients with grants.*, board.*, and the apex. Multi-program orgs operating distinct fundraising sub-brands under separate subdomains are absorbed without per-domain fees
Pricing
Flat monthly fee. Every nonprofit-attached subdomain, every donor portal, every IRS MeF proxy included.
No per-nonprofit charges. No per-state-registration fees. Pick the tier that fits your nonprofit-vertical portfolio and monitor every regulated subdomain (donor.*, mef.*, state-filings.*, board.*) under each client's apex without billing surprises.
Starter
For solo developers or two-person agencies operating a single 501(c)(3)'s donor portal, IRS MeF e-filing proxy, and state-registration filing proxy under one apex domain.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For nonprofit agencies managing 5-10 nonprofit clients with separate donor.*, mef.*, state-filings.*, and board.* subdomains per org, plus the org's primary marketing domain.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full nonprofit-vertical client roster: national 501(c)(3)s registered in 41+ states, private foundations with grants-management portals, religious orgs with multi-affiliate fundraising sub-brands, and shared IRS MeF e-filing proxies serving 280+ small/mid 501(c)(3) clients, with donor.*, mef.*, state-filings.*, board.*, sso.*, and apex coverage for each directly managed client.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when donor.orgname.org is approaching cert expiry — 30 days before a Giving Tuesday morning cert failure can trigger a PFI investigation and a Cal. Civ. Code §1798.82 breach-notification cascade across 280 California-resident donors.
Add your first nonprofit subdomain in under two minutes. Donor portals, IRS MeF e-filing proxies, state-registration filing proxies, and board-document portals across every 501(c)(3), private foundation, and religious org client in your portfolio are monitored from the same dashboard. 14-day trial, no card required.